* Jethro R Binks [2009-08-14 13:28]:
> > I know this was against AD, can anyone enlighten me, I believe
> > "distinguishedName" is an LDAP "attribute" that AD returns for each
> > request, unfortunately there doesn't seem to be an equivalent one for
> > Novell eDirectory. I have read a claim that Novell supports the
> > "operational attribute" entryDN that should be returned but using that
> > generates an error of undefined attribute so shib is clearly not getting
> > it.

Asking the vendor might help (the RFC in question is 5020),
maybe they also implemented their own pre-RFC variant of that.

> Use a directory browser to investigate what attributes an object has.
> Apache project has a GUI one. For the CLI, I have a script like the
> following which dumps out all attributes for a provided $user:
>
> args="-LLL -x -z 0 -H $ldapuri -D $binddn -w $bindpw"
>
> base="dc=ds,dc=strath,dc=ac,dc=uk"
> filter="(&(cn=$user)(objectClass=organizationalPerson))"
>
> ldapsearch $args -b $base -s sub $filter

No, operational attributes don't get returned unless explicitly asked
for, i.e. implicitly asking for all attributes by not specifying any
or explicitly asking for '*' won't get you operational attributes.

$ man ldapsearch | fgrep '+'
If + is listed, all operational attributes are returned.

(This is with the OpenLDAP client, YMMV on platforms with other libs).

cheers,
-peter
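
The point about operational attributes, as an added example that is not part of the original message or the quoted script: it requests user attributes, operational attributes and entryDN by name, then checks the returned LDIF for a given attribute. It assumes the OpenLDAP ldapsearch client; the variables LDAPURI, BINDDN, PWFILE and BASE, the function names, and the restriction of cn values to simple login names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. LDAPURI, BINDDN, PWFILE and BASE are
# assumed variables; dump_entry, has_attr and sample_ldif are made-up names.

# Dump one user's entry with user AND operational attributes.
#   '*'     all user attributes
#   '+'     all operational attributes (OpenLDAP client, see the man page)
#   entryDN named explicitly, in case the server does not honour '+'
# The selectors are quoted so the shell cannot glob-expand '*'.
# -y reads the bind password from a file (whole file is used, so no trailing
# newline) instead of exposing it in the process list as -w does.
dump_entry() {
    # Assumption: cn values are simple login names; anything else is
    # rejected so it cannot alter the search filter.
    case $1 in
        ''|*[!A-Za-z0-9._-]*) echo "unsafe cn value" >&2; return 2 ;;
    esac
    ldapsearch -LLL -x -z 0 -H "$LDAPURI" -D "$BINDDN" -y "$PWFILE" \
        -b "$BASE" -s sub \
        "(&(cn=$1)(objectClass=organizationalPerson))" '*' '+' entryDN
}

# Succeed if attribute $1 occurs in the LDIF on stdin (case-insensitive).
# Continuation lines start with a space and are skipped; the base64 form
# "attr:: ..." and option form "attr;opt: ..." both match.
has_attr() {
    awk -F: -v want="$1" '
        /^[^ ]/ { n = tolower($1); sub(/;.*/, "", n)
                  if (n == tolower(want)) found = 1 }
        END { exit !found }'
}

# Constructed sample of an entry once entryDN is returned.
sample_ldif() {
    cat <<'EOF'
dn: cn=jdoe,ou=staff,o=example
cn: jdoe
objectClass: organizationalPerson
entryDN: cn=jdoe,ou=staff,o=example
EOF
}

# Usage: dump_entry jdoe | has_attr entryDN && echo "entryDN is exposed"
```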